ZeroDayRAT Mobile Spyware
Cybersecurity researchers have uncovered a sophisticated mobile spyware platform known as ZeroDayRAT, currently promoted on Telegram as a comprehensive solution for extracting sensitive data and conducting real-time surveillance on both Android and iOS devices. Marketed as a ready-to-deploy espionage suite, the platform extends well beyond basic data harvesting and ventures into active monitoring and direct financial exploitation.
The operator maintains dedicated Telegram channels for sales, customer assistance, and ongoing updates, providing buyers with centralized access to a fully functional spyware ecosystem. This streamlined distribution model significantly lowers the barrier to entry for cybercriminals seeking advanced surveillance capabilities.
Broad Device Compatibility and Flexible Deployment
ZeroDayRAT is advertised as supporting Android 5 through 16 and iOS up to version 26, which covers almost every handset in circulation. Despite the name, the distribution described does not rely on an exploit: the malware is believed to be delivered primarily through social engineering campaigns and fraudulent app marketplaces that persuade users to install the malicious application themselves.
Purchasers receive a malware builder that generates customized malicious binaries. These binaries are managed through an online control panel that operators can deploy on their own servers, granting them full administrative control over infected devices.
Comprehensive Device Intelligence and Location Tracking
Once installed, ZeroDayRAT provides operators with extensive visibility into the compromised device. Through a self-hosted management panel, attackers can access detailed information such as device model, operating system version, battery status, SIM data, carrier information, application usage, notification content, and previews of recent SMS messages. This intelligence enables threat actors to construct detailed victim profiles, including communication patterns and frequently used applications.
The platform also captures live GPS coordinates and maps them using Google Maps, alongside maintaining a historical log of the victim's movements. This persistent geolocation tracking effectively transforms the infected device into a continuous surveillance tool.
Account Enumeration and Credential Exposure
A particularly concerning feature is the 'Accounts' panel, which enumerates every account registered on the infected device. This includes widely used services such as:
- Google, WhatsApp, Instagram, Facebook, Telegram
- Amazon, Flipkart, PhonePe, Paytm, and Spotify
Associated usernames or email addresses are also exposed, enabling credential harvesting, identity profiling, and potential account takeover attempts.
Advanced Surveillance and Two-Factor Authentication Bypass
ZeroDayRAT incorporates a range of intrusive surveillance and interception capabilities. These include:
- Keystroke logging to capture credentials and private communications
- Extraction of SMS messages, including SMS-delivered one-time passwords (OTPs), which lets the operator defeat SMS-based two-factor authentication
- Real-time camera streaming and microphone activation for live audio-visual monitoring
These features enable adversaries to conduct hands-on, interactive surveillance, turning compromised devices into remote intelligence-gathering assets.
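The device intelligence, account enumeration and surveillance features described above each map to a specific Android permission or privileged service that a build would have to declare in its manifest. The following triage script is an added example, not ZeroDayRAT code: the capability-to-permission mapping is the editor's own inference from the capabilities listed on this page, the spyware-likeness threshold is an assumption, and both manifests are constructed samples. Real APK manifests are binary XML, so decode them first (for example with apktool) and feed the resulting text to the function.

```python
"""Permission triage for a decoded AndroidManifest.xml (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability described on the page -> permission(s) an app needs to obtain it.
# This mapping is the editor's inference, not a published ZeroDayRAT signature.
CAPABILITY_PERMISSIONS = {
    "sms_and_otp_theft": {"android.permission.READ_SMS",
                          "android.permission.RECEIVE_SMS"},
    "gps_tracking": {"android.permission.ACCESS_FINE_LOCATION"},
    "account_enumeration": {"android.permission.GET_ACCOUNTS"},
    "live_camera": {"android.permission.CAMERA"},
    "live_microphone": {"android.permission.RECORD_AUDIO"},
    "sim_and_carrier_info": {"android.permission.READ_PHONE_STATE"},
    "app_usage": {"android.permission.PACKAGE_USAGE_STATS"},
}

# Capabilities obtained by declaring a privileged service instead of a
# uses-permission entry: an accessibility service sees every keystroke and
# on-screen text, a notification listener sees notification content.
CAPABILITY_SERVICES = {
    "keylogging": "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "notification_capture": "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return {capability: [matching permissions]} for the capabilities above."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    bound = {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    found = {}
    for cap, perms in CAPABILITY_PERMISSIONS.items():
        hit = perms & requested
        if hit:
            found[cap] = sorted(hit)
    for cap, perm in CAPABILITY_SERVICES.items():
        if perm in bound:
            found[cap] = [perm]
    return found


def looks_like_spyware(manifest_xml: str, threshold: int = 4) -> bool:
    """Heuristic verdict: one app asking for this many surveillance capabilities
    at once deserves manual review. The threshold is an assumption."""
    return len(triage_manifest(manifest_xml)) >= threshold


# Constructed sample: the permission set a build with the described features needs.
SPYWARE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.spy">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary messaging app that only reads SMS.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.messenger">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".SyncService"/></application>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("spyware", SPYWARE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, looks_like_spyware(manifest), triage_manifest(manifest))
```

A single permission such as READ_SMS proves nothing, which is why the verdict counts distinct capabilities rather than matching any one of them; the two service bindings are the strongest individual signals, since few legitimate apps need an accessibility service and a notification listener together with camera, microphone and location.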
Integrated Cryptocurrency and Banking Theft Modules
Beyond surveillance, the malware integrates financial theft mechanisms. A cryptocurrency stealer component scans for wallet applications such as MetaMask, Trust Wallet, Binance, and Coinbase. When a victim copies a wallet address to the clipboard, the malware substitutes it with an address controlled by the attacker, redirecting transactions without the user's awareness.
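The clipboard swap described above has a recognisable shape: the user copies a wallet address and, within milliseconds, the clipboard changes to a different address of the same format without any user action. The script below models that pattern over a sequence of clipboard-change events and flags it. It is an added example, not ZeroDayRAT code or detection logic from any vendor; the address regexes check format only (no checksum validation), the swap window is an assumption, and the addresses and timeline are constructed.

```python
"""Clipboard wallet-address swap detection (added example)."""
import re

# Format-only patterns; a match says "looks like an address of this chain",
# not "is a valid address". Checksums are deliberately not verified here.
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "bitcoin_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "bitcoin_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{39,59}$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}

# Assumption: a person cannot copy a second address this quickly by hand, so an
# address-to-address change inside this window is a programmatic rewrite.
SWAP_WINDOW_MS = 1000


def classify_address(text: str):
    """Return the chain name if text looks like a wallet address, else None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


def detect_swaps(events, window_ms=SWAP_WINDOW_MS):
    """events: chronological list of (t_ms, clipboard_text).
    Returns one finding per suspected swap: same chain, different address,
    change within window_ms of the previous clipboard write."""
    findings = []
    for (t_prev, prev), (t_cur, cur) in zip(events, events[1:]):
        chain = classify_address(prev)
        if chain is None or chain != classify_address(cur):
            continue
        if prev.strip() == cur.strip() or t_cur - t_prev > window_ms:
            continue
        findings.append({"t_ms": t_cur, "chain": chain,
                         "original": prev.strip(), "replacement": cur.strip()})
    return findings


def paste_matches_copy(copied: str, pasted: str) -> bool:
    """User-side check before confirming a transfer: the pasted address must be
    identical to what was copied, not merely similar at both ends."""
    return copied.strip() == pasted.strip()


# Constructed addresses: format-valid, checksums meaningless.
USER_ETH = "0x" + "a1b2c3d4" * 5
ATTACKER_ETH = "0x" + "deadbeef" * 5
USER_BTC = "1" + "A" * 33
OTHER_BTC = "3" + "B" * 33

# Constructed clipboard timeline (milliseconds, clip content).
EVENTS = [
    (0, "meeting at 4pm"),
    (5000, USER_ETH),        # user copies an exchange deposit address
    (5040, ATTACKER_ETH),    # 40 ms later the clip holds a different ETH address
    (20000, "thanks"),
    (30000, USER_BTC),
    (45000, OTHER_BTC),      # 15 s gap: plausibly a second manual copy, not flagged
]

if __name__ == "__main__":
    for finding in detect_swaps(EVENTS):
        print(finding)
    print("paste matches copy:", paste_matches_copy(USER_ETH, ATTACKER_ETH))
```

The same heuristic applies to bank account numbers and UPI IDs if patterns for them are added; the defining signal is not the address format but the fast, unprompted rewrite of one payee identifier into another.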
A dedicated banking stealer module further targets digital payment services, including Apple Pay, Google Pay, PayPal, and PhonePe. PhonePe runs on India's Unified Payments Interface (UPI), the real-time payment system used for inter-bank peer-to-peer and person-to-merchant transfers, which makes it an attractive target for financially motivated actors.
Evolving Mobile Espionage Threats
ZeroDayRAT represents a fully packaged mobile compromise framework: capabilities that previously required nation-state resources or custom exploit development are now sold commercially via Telegram. Through the self-hosted panel, a single operator gains browser-based access to a victim's location data, communications, financial accounts, camera feed, microphone input, and keystrokes.
The malware aligns with a broader trend in mobile threats that exploit phishing campaigns and infiltration of official app marketplaces. Attackers have repeatedly identified methods to circumvent safeguards implemented by Apple and Google, often manipulating users into installing malicious applications.
On iOS devices, campaigns frequently abuse enterprise provisioning mechanisms that allow organizations to distribute applications outside the official App Store. By commercializing spyware bundles that combine surveillance and financial theft features, threat actors continue to reduce technical barriers for less experienced cybercriminals while amplifying the sophistication and persistence of mobile-focused attacks.
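An enterprise-distributed iOS app carries its provisioning profile as embedded.mobileprovision inside the bundle, and that profile states whether it installs on any device (the in-house distribution the paragraph above refers to) or only on an enumerated list. The following triage function is an added example, not code from the page or from Apple: it locates the plist payload inside the CMS-signed profile without verifying the signature, and the three profiles it inspects are constructed with a fake CMS envelope and a made-up team identifier.

```python
"""Triage of an iOS provisioning profile, embedded.mobileprovision (added example)."""
import datetime
import plistlib


def extract_profile_plist(blob: bytes) -> dict:
    """The profile is a CMS (PKCS#7) blob whose payload is an XML plist stored
    as plain text, so locating the plist is enough for triage. The CMS
    signature is NOT verified here; do that separately before trusting fields."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def assess_profile(blob: bytes, now=None) -> dict:
    """Surface what a reviewer wants: signing team, covered app id, whether it is
    an enterprise (in-house) profile valid on any device, and whether it expired."""
    p = extract_profile_plist(blob)
    ents = p.get("Entitlements", {})
    expires = p.get("ExpirationDate")           # plistlib returns a naive UTC datetime
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    return {
        "team": p.get("TeamName"),
        "app_id": ents.get("application-identifier"),
        # ProvisionsAllDevices is present only on enterprise distribution
        # profiles; ad hoc and development profiles list ProvisionedDevices.
        "enterprise_distribution": bool(p.get("ProvisionsAllDevices")),
        "device_limited": "ProvisionedDevices" in p,
        "debuggable": bool(ents.get("get-task-allow")),
        "expired": expires is not None and expires < now,
    }


def needs_review(assessment: dict) -> bool:
    """A live enterprise profile on a device that does not belong to that
    organisation is the sideloading pattern described above. Whether the team
    is trusted is a policy decision; this only raises the signal."""
    return assessment["enterprise_distribution"] and not assessment["expired"]


def _constructed_profile(expires: datetime.datetime, all_devices: bool) -> bytes:
    """Build a stand-in profile: fake CMS bytes around a real XML plist."""
    fields = {
        "AppIDName": "Constructed App",
        "TeamName": "Constructed Corp",
        "TeamIdentifier": ["CONSTRUCTED"],          # made-up team id
        "ExpirationDate": expires,
        "Entitlements": {"application-identifier": "CONSTRUCTED.com.example.app",
                         "get-task-allow": False},
    }
    if all_devices:
        fields["ProvisionsAllDevices"] = True
    else:
        fields["ProvisionedDevices"] = ["00000000-000000000000000A"]  # made-up UDID
    return b"\x30\x82fake-cms-header" + plistlib.dumps(fields) + b"fake-cms-signature"


ENTERPRISE_PROFILE = _constructed_profile(datetime.datetime(2099, 1, 1), True)
ADHOC_PROFILE = _constructed_profile(datetime.datetime(2099, 1, 1), False)
EXPIRED_ENTERPRISE_PROFILE = _constructed_profile(datetime.datetime(2000, 1, 1), True)

if __name__ == "__main__":
    for name, blob in (("enterprise", ENTERPRISE_PROFILE), ("adhoc", ADHOC_PROFILE),
                       ("expired", EXPIRED_ENTERPRISE_PROFILE)):
        result = assess_profile(blob)
        print(name, "review" if needs_review(result) else "ok", result)
```

Run it against the embedded.mobileprovision extracted from an .ipa, or against the profiles a device lists under Settings > General > VPN & Device Management; an enterprise profile from a team the user has no relationship with is the indicator to act on.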
ZeroDayRAT underscores a critical reality: advanced mobile surveillance and financial exploitation capabilities are no longer confined to elite threat groups but are increasingly accessible within the cybercrime underground.